Iraqi Journal for Electrical and Electronic Engineering (Iraq J. Electrical and Electronic Engineering), Vol. 7, No. 2, 2011

International Conference on Energy, Power and Control, Basrah University, Basrah, Iraq, 30 Nov to 2 Dec 2010

Mosul University WLAN Security: Evaluation, Analysis and Improvement

Omar Ahmed Hachum, Computer Engineering Department, Engineering College, Mosul University, Iraq. Email: [email protected]

Abstract— In this paper, the security of the Mosul University Wireless Local Area Network (MUWLAN) is evaluated. The evaluation was made to test the confidentiality, integrity and availability of the MUWLAN. Addressing these issues will help in ensuring tighter security. After the evaluation, serious security pitfalls were found that can allow any attacker to gain access to the MUWLAN and use its internet service. Based on the obtained results, suggestions for improvement were made to tighten the security of the Mosul University wireless local area network.

Keywords: WLAN security, WEP encryption, PTW attack, Wireshark, MITM attack, SSLStrip attack.

I. INTRODUCTION

Wireless access is quickly broadening network reach by providing convenient and inexpensive access in hard-to-wire locations. Users are clamoring for WLAN access because it allows them to access their network and the Internet from anywhere in the workplace without a wired environment. Administrators are attracted to WLANs because they are easier to install, flexible, and less expensive to maintain over the long term. WLANs have already made significant penetration into the education, hospitality, healthcare and financial industries, and continually decreasing equipment prices should help drive adoption in other industries. As with any technology shift, migrating users to WLAN has its drawbacks, and the chief concern is security problems [1].

The term information security covers a wide array of activities in an organization. The design goals of a security topology must deal with issues of confidentiality, integrity, availability, and accountability. Addressing these four issues as an initial part of the network design will help to ensure tighter security. Confidentiality, integrity, and availability are often referred to as the CIA of network security, but the accountability component is equally important: design goals must identify who is responsible for the various aspects of security [2].

In this paper, the Mosul University Wireless Local Area Network (MUWLAN) is evaluated with respect to the CIA network security principles [3][4][5]. Results were deleted or replaced with the symbol $ for security purposes.

II. HARDWARE/SOFTWARE USED IN THE EVALUATION

The equipment used in this evaluation is:

1. Omni-directional antenna:
   - Gain: 15 dBi.
   - Operating frequency: 2.4 GHz.
2. Coaxial cable:
   - Type: LMR 400.
   - Length: 15 m.
3. Wireless LAN card:
   - D-Link DWL-G520 High Speed PCI Adapter (rev B).
   - 802.11b/g compatible.
4. Workstation with the backtrack3 operating system (Linux version 2.6.21.5, gcc version 4.1.2) installed on it.

All the software tools that will be mentioned later in this paper can be found pre-installed in backtrack3, except for the SSLStrip software.

III. EVALUATION PROCEDURE

This section explains the main steps that were used to evaluate MUWLAN security.

A. Identifying Network SSID

The Service Set Identifier (SSID), also known as the wireless network name, identifies the wireless network. The SSID is a name configured on the wireless Access Point (AP) (for infrastructure mode) or on an initial wireless client (for ad hoc mode) that identifies the wireless network. The SSID is periodically advertised by the wireless AP or the initial wireless client using a special 802.11 MAC management frame known as a beacon frame. One way to limit the visibility of a wireless network is to hide the SSID. Without knowing the SSID, a client cannot send the association request frame to gain access to the WLAN [2].
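The management-frame subtypes and the SSID element described in this section, as an added example that is not part of the paper: the code below decodes the 802.11 Frame Control field and the SSID information element from constructed beacon and probe-response frames, showing that a hidden network still advertises an (empty) SSID element in its beacons while a probe response carries the name. It also goes one step further and reads the Protected Frame bit and the WEP key index from a constructed data frame, which is what Figure 1 of the paper shows in Wireshark. All frames, MAC addresses and the SSID "ExampleUniversity" are made up; the subtype names follow IEEE 802.11.

```python
"""Added example (not from the paper): decode the 802.11 Frame Control field and the
SSID information element from constructed management frames, and read the Protected
Frame bit and WEP key index from a constructed data frame. Frames and MAC addresses
here are made up; subtype names follow IEEE 802.11."""
import struct
from typing import Optional

# Management-frame subtypes (frame type 0) selected by the paper's Wireshark filter (1).
MGMT_SUBTYPES = {
    0x00: "Association Request",
    0x02: "Reassociation Request",
    0x04: "Probe Request",
    0x05: "Probe Response",
    0x08: "Beacon",
}

def parse_frame_control(frame: bytes) -> dict:
    """Decode the little-endian 2-byte Frame Control field at offset 0."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    return {
        "type": (fc >> 2) & 0x3,         # 0 = management, 1 = control, 2 = data
        "subtype": (fc >> 4) & 0xF,
        "protected": bool(fc & 0x4000),  # bit 14: Protected Frame (WEP/WPA)
    }

def parse_ssid_element(body: bytes) -> Optional[str]:
    """Walk the tagged parameters of a beacon/probe-response body and return the SSID.
    The body starts with a 12-byte fixed part (timestamp, beacon interval, capability
    info) followed by (element id, length, value) triples; SSID is element id 0."""
    i = 12
    while i + 2 <= len(body):
        elem_id, elem_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + elem_len]
        if elem_id == 0:
            # A hidden network advertises an empty (or all-NUL) SSID element in its beacons.
            return value.decode("utf-8", "replace") if value.strip(b"\x00") else ""
        i += 2 + elem_len
    return None

def describe(frame: bytes) -> dict:
    """Summarize one frame: management subtype, SSID if present, WEP key index if protected."""
    fc = parse_frame_control(frame)
    body = frame[24:]   # 24-byte MAC header (FC, duration, 3 addresses, sequence control)
    out = {"kind": MGMT_SUBTYPES.get(fc["subtype"]) if fc["type"] == 0 else None,
           "protected": fc["protected"]}
    if fc["type"] == 0 and fc["subtype"] in (0x05, 0x08):
        out["ssid"] = parse_ssid_element(body)
    if fc["type"] == 2 and fc["protected"]:
        # WEP: a 4-byte IV header follows the MAC header; the key index sits in the
        # top two bits of its 4th byte (Figure 1 of the paper shows key index 2).
        out["wep_key_index"] = body[3] >> 6
    return out

def build_mgmt_frame(subtype: int, ssid: bytes) -> bytes:
    """Construct a minimal beacon/probe-response frame for this example."""
    fc = subtype << 4                                       # type 0, given subtype
    addrs = b"\xff" * 6 + b"\x00\x60\xb3\x00\x00\x01" * 2  # dst, src, bssid (made up)
    header = struct.pack("<H", fc) + b"\x00\x00" + addrs + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)  # timestamp, interval, capability (ESS + Privacy)
    return header + fixed + bytes([0, len(ssid)]) + ssid

# Constructed sample frames.
HIDDEN_BEACON = build_mgmt_frame(0x08, b"")                     # hidden SSID: zero-length element
PROBE_RESPONSE = build_mgmt_frame(0x05, b"ExampleUniversity")   # reply to a client reveals the name
WEP_DATA = (struct.pack("<H", (2 << 2) | 0x4000) + b"\x00" * 22   # data frame, Protected bit set
            + b"\x11\x22\x33" + bytes([2 << 6]) + b"\xaa" * 8)    # IV header with key index 2, ciphertext

def audit(frames) -> list:
    """Describe every frame of a capture; run on HIDDEN_BEACON, PROBE_RESPONSE, WEP_DATA."""
    return [describe(f) for f in frames]
```

The point for a defender is visible in `audit([HIDDEN_BEACON, PROBE_RESPONSE])`: hiding the SSID removes the name from beacons only, and any probe response (or association request) sent in the clear restores it, which is why the paper treats hiding as a visibility measure rather than a security control.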


The first main step was to capture and reveal all the network SSIDs transmitted through the air. Since the management frames used in 802.11 have no means of security, the attacker can easily gain useful information about the WLAN. The SSID will be unhidden simply by analyzing five subtype frames of the main management frame, as shown in Table 1.

TABLE 1
The frame body contents of a management frame depend on the frame subtype [6].

The WLAN card will capture all the frames in the air when it is operating in monitor mode. The number of captured frames will be huge, due to the fact that there are many wireless networks broadcasting in Mosul City. The Wireshark software [7], which is pre-installed under the operating system, will be used to capture and filter the wireless traffic. The following filter will be used to instruct Wireshark to filter (i.e. keep) frames containing subtypes number 0, 2, 4, 5 and 8 (see Table 1):

wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08    (1)

Wireshark will be used to capture all the frames in the airwave channels ranging from 1 to 13. After a while, all the SSIDs in the range of the omni-directional antenna were revealed. After reviewing all the SSID names, Table 2 summarizes all the APs whose SSIDs include the phrase Mosul University.

Upon identifying more than one AP that belongs to the MUWLAN, one AP will be selected to penetrate the MUWLAN. The AP with the SSID M0SuLUniversiTy$$$$$ will be selected. To find out whether this AP uses any means of data encryption, the data frames sent and received by this AP will be captured by applying the following filter to the captured data:

wlan.bssid == 00:60:b3:$$:$$:$$    (2)

TABLE 2
SSIDs containing the phrase Mosul University captured in the range of the testing omni-directional antenna.

SSID                  MAC address
M0SUIUniVersiTy$$$$$  00:60:B3:$$:$$:$$
M0SUI0FUNlVeri$$$$$   00:60:B3:$$:$$:$$
M0SUIUNlVerSlT$$$$$   00:60:B3:$$:$$:$$
M0SuLUniversiT$$$$$   00:60:B3:$$:$$:$$
M0SUIUNlVersiT$$$$$   00:60:B3:$$:$$:$$

In the captured data, the protected flag was set to 1, so the data was WEP encrypted. The index of the key that was used to encrypt the data was key number 2 (counting from 0), as shown in Figure 1.

Figure 1: Management frame captured using the Wireshark software, showing that the wireless data is protected and the key number used to encrypt the data.

B. Cracking WEP

The IEEE 802.11 standard defines the Wired Equivalent Privacy (WEP) encapsulation of 802.11 data frames. The goal of WEP is to provide data privacy to the level of a wired network.

Encryption in WEP uses a secret key, k, shared between an access point and a mobile node. To compute a WEP frame, the plaintext frame data, M, is first concatenated with its checksum c(M) to produce M • c(M) (where • denotes concatenation). Then, a per-packet initialization vector (IV) is prepended to the secret key, k, to create the packet key, IV • k. The RC4 stream cipher is then initialized using this packet key, and the output bytes of the cipher are exclusive-ored (denoted ⊕) with the checksummed plaintext to generate the ciphertext [8]:

C = (M • c(M)) ⊕ RC4(IV • k)

The extension of Klein's attack which is optimized for use against WEP [9], also known as the PTW attack (PTW stands for the initials of the attack's creators, Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann), was used on the MUWLAN. That attack can easily be done by using the aircrack-ng software on enough captured encrypted data packets. After capturing enough data and applying the PTW attack, the WEP key for the SSID M0SuLUniversiTy$$$$$ used by the MUWLAN AP was found, as shown in Figure 2.

The wireless client MAC address can be found as shown in Figure 3.
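The WEP construction C = (M • c(M)) ⊕ RC4(IV • k) from Section III.B, worked through in code as an added example that is not from the paper or from reference [8]: RC4 and the CRC-32 integrity check value c(M) are written out, the 4-byte IV header (3-byte IV plus the key-index byte that Figure 1 shows as key number 2) is built the way the frame carries it, and decapsulation rejects a frame whose ICV does not verify. It also adds a small audit that a defender can run over the IVs of a capture: the IV is only 24 bits, so a busy AP repeats IVs, and every repeat reuses an RC4 keystream. The key, IVs and payloads are constructed for the example.

```python
"""Added example (not from the paper): WEP encapsulation C = (M . c(M)) XOR RC4(IV . k)
with RC4 and the CRC-32 ICV written out, plus an IV-reuse audit over captured frames.
Key, IVs and payloads are constructed for the example."""
import zlib
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then n bytes of the pseudo-random generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(m: bytes) -> bytes:
    """c(M): the WEP integrity check value is the CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(m).to_bytes(4, "little")

def wep_encapsulate(key: bytes, iv: bytes, key_index: int, m: bytes) -> bytes:
    """Return the IV header (3-byte IV + key-index byte) followed by (M . c(M)) XOR RC4(IV . k)."""
    assert len(iv) == 3 and 0 <= key_index <= 3
    plain = m + icv(m)
    ks = rc4_keystream(iv + key, len(plain))
    body = bytes(p ^ k for p, k in zip(plain, ks))
    return iv + bytes([key_index << 6]) + body

def wep_decapsulate(keys: dict, frame: bytes) -> bytes:
    """Invert wep_encapsulate; the key index in the header selects one of the four keys.
    Raises ValueError when the recomputed ICV does not match (damaged frame or wrong key)."""
    iv, key_index = frame[:3], frame[3] >> 6
    body = frame[4:]
    ks = rc4_keystream(iv + keys[key_index], len(body))
    plain = bytes(c ^ k for c, k in zip(body, ks))
    m, tag = plain[:-4], plain[-4:]
    if tag != icv(m):
        raise ValueError("ICV mismatch")
    return m

def icv_check_fails(keys: dict, frame: bytes) -> bool:
    """True when decapsulation rejects the frame."""
    try:
        wep_decapsulate(keys, frame)
        return False
    except ValueError:
        return True

def reused_ivs(frames) -> list:
    """Defender's audit: IVs that appear more than once in a capture. Each repeat means two
    frames were encrypted with the same RC4 keystream (IV . k is identical)."""
    counts = Counter(f[:3] for f in frames)
    return [iv for iv, n in counts.items() if n > 1]

# Constructed sample: the AP uses key index 2 (as observed in Figure 1 of the paper),
# a 104-bit key, and one IV repeats within the capture.
KEYS = {0: b"\x00" * 5, 1: b"\x00" * 5,
        2: bytes.fromhex("0123456789abcdef01234567"), 3: b"\x00" * 5}
FRAMES = [
    wep_encapsulate(KEYS[2], b"\x00\x00\x01", 2, b"client payload one"),
    wep_encapsulate(KEYS[2], b"\x00\x00\x02", 2, b"client payload two"),
    wep_encapsulate(KEYS[2], b"\x00\x00\x01", 2, b"repeated IV here"),
]
```

The ICV check catches transmission damage and a wrong key, but because CRC-32 is linear it is not a cryptographic integrity check, and the 24-bit IV space is exhausted on a busy network in hours; `reused_ivs` makes the second problem measurable on a capture, and both are reasons the paper's Section VII recommends replacing static WEP.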

Figure 2: The WEP key found using the PTW attack on enough captured data.

Now all the captured data traffic from M0SuLUniversiTy$$$$$ can be decrypted using the WEP key. The idea now is to assume the identity of a MUWLAN client and enter the MUWLAN when that client is offline.

IV. WLAN PACKETS ANALYSIS

After the WEP key was found, the attacker can now analyze all the traffic (data) between the wireless clients and the AP. To have the right to use the services provided by the MUWLAN, such as the internet service, the configuration of a MUWLAN wireless client must be known, namely:

- IP and MAC address.
- Subnet mask.
- IP address of the gateway.
- IP address of the DNS server.

The easiest way to find these parameters is to search for DHCP replies or offers in the captured data. So the following filter will be applied to the captured data:

wlan.bssid == 00:60:b3:$$:$$:$$ && bootp.type == 2    (3)

Unfortunately for the attacker, no DHCP reply or offer packets were captured.

A. IP and MAC address

The IP address of a wireless client can easily be found by applying the following filter on the wireless traffic (data) of the MUWLAN:

wlan.bssid == 00:60:b3:$$:$$:$$ && ip    (4)

The majority of the IPs found in the captured data were class B private IP addresses. So it is a matter of time: when these clients are offline, the attacker can take over any IP address and access the network. Also, from the same packet, the wireless client MAC address can be found, as shown in Figure 3.

Figure 3: The WLAN IP address and MAC address of one MUWLAN client.

B. Network subnet mask

Since there is no DHCP server, finding the subnet mask will be tricky. The following filter will be applied to the wireless traffic to capture only the broadcast traffic (destination MAC address equal to all 1's) on the network:

wlan.bssid == 00:60:b3:$$:$$:$$ && wlan.da == ff:ff:ff:ff:ff:ff && ip.dst >= 172.20.0.1 && ip.dst <= 172.20.255.255    (5)

This can be accomplished by checking the destination IP address of those broadcast packets, as shown in Figure 4.

Figure 4: The broadcast IP address obtained after filtering the captured data.

The majority of the destination IPs were 172.20.90.255; thus it is obvious that the subnet mask must be 255.255.255.0.

C. IP address of the gateway

By checking the MAC addresses (destination and source) of the wireless traffic, it is easy to find the gateway MAC address, because that MAC address will be the dominating one. Since all the traffic must be sent to the gateway to access the internet, clients wanting to access the


Internet will have to pass through the gateway. Therefore the same MAC address will be present in all the packets, while a variety of destination or source IP addresses that do not fall into 172.20.90.0 will belong to that same MAC address. To find the IP address that belongs to that MAC address, all the packets that have the gateway MAC address as destination and a destination IP address falling into the class B network address will be filtered using the following filter:

wlan.bssid == 00:60:b3:$$:$$:$$ && wlan.da == 00:06:5b:$$:$$:$$ && ip.dst >= 172.20.90.1 && ip.dst <= 172.20.90.254    (6)

After filtering the captured data as shown in Figure 5, the IP gateway is identified as 172.20.90.2.

Figure 5: The IP address of the gateway obtained after filtering the captured data.

D. IP address of the DNS server

Finding the IP address of the DNS server will not be a hard task, because when a client wants to visit any website using a webpage Uniform Resource Locator (URL), the internet browser must know the IP address that belongs to the given URL. This is done by using a DNS server. Capturing any response from a DNS server to a client can recover the DNS server IP address. The following filter was used to capture such a response:

wlan.bssid == 00:60:b3:$$:$$:$$ && ip.dst >= 172.20.90.1 && ip.dst < 172.20.90.254 && dns.response_to    (7)

For the MUWLAN, the IP address of the DNS server is the same as the IP address of the gateway, which is 172.20.90.2, as shown in Figure 6.

Figure 6: The IP address of the DNS server obtained after filtering the captured data.

V. BYPASSING THE 24ONLINE SOFTWARE

Mosul University uses the 24online software from Elitecore Technologies Limited for billing and bandwidth management. For authenticating the user to access the internet, it uses a web-based login technique that asks the client to enter a user name and password in order to access the internet. Any request to access the internet using the MUWLAN will bring up a web page asking the user to enter his/her user name only once to authenticate.

By viewing the source code of the client login webpage, no means of security was found. Therefore, the user name and password are sent as plain text. It is easy to catch the user name and password if the attacker lies between the wireless client and the wireless AP of the MUWLAN. Since the gateway is also the 24online server, the following filter will capture all the user names and passwords that are sent to the gateway using the HTTP protocol only, as shown in Figure 7:

wlan.bssid == 00:60:b3:$$:$$:$$ && ip.dst == 172.20.90.2 && http contains _Pass    (8)

Now it is easy for the attacker to access the MUWLAN and use the internet service. It is also easy for the attacker to change the password of the client, preventing the real client from accessing the internet.

Also, by viewing the administration login web page, it shows no means of security. Therefore, if the attacker lies between the administrator's PC and an AP of Mosul University, it will be a matter of time until the administrator accesses the 24online server wirelessly, and then the attacker can have both the user name and the password of the 24online server.
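The inferences of Section IV (filters (5), (6)) and the cleartext-credential filter (8) of Section V, rewritten as a network owner's audit over decrypted frame records; this is an added example, not code from the paper. It generalizes the paper's subnet step: the most common broadcast destination is taken, its trailing 1-bits are the host part, so 172.20.90.255 yields 255.255.255.0 and a /23 broadcast would yield 255.255.254.0. The gateway MAC is the one that dominates the traffic, the gateway IP is the in-subnet destination of frames addressed to that MAC, and any HTTP body sent to the gateway carrying a `_Pass` field is reported as a cleartext login. The record format (`sa`, `da`, `ip_src`, `ip_dst`, `http`) and every address and value in `FRAMES` are constructed for the example.

```python
"""Added example (not from the paper): the passive inferences of Section IV and the
cleartext-credential check of Section V as an audit over constructed frame records."""
import ipaddress
from collections import Counter

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed records, one per decrypted data frame (the wlan.bssid filter is assumed applied).
FRAMES = [
    {"sa": "00:1a:aa:00:00:01", "da": BROADCAST_MAC,       "ip_src": "172.20.90.10", "ip_dst": "172.20.90.255"},
    {"sa": "00:1a:aa:00:00:02", "da": BROADCAST_MAC,       "ip_src": "172.20.90.11", "ip_dst": "172.20.90.255"},
    {"sa": "00:1a:aa:00:00:03", "da": BROADCAST_MAC,       "ip_src": "172.20.90.12", "ip_dst": "172.20.255.255"},
    {"sa": "00:1a:aa:00:00:01", "da": "00:06:5b:00:00:aa", "ip_src": "172.20.90.10", "ip_dst": "203.0.113.5"},
    {"sa": "00:1a:aa:00:00:02", "da": "00:06:5b:00:00:aa", "ip_src": "172.20.90.11", "ip_dst": "198.51.100.7"},
    {"sa": "00:06:5b:00:00:aa", "da": "00:1a:aa:00:00:02", "ip_src": "198.51.100.7", "ip_dst": "172.20.90.11"},
    {"sa": "00:1a:aa:00:00:03", "da": "00:06:5b:00:00:aa", "ip_src": "172.20.90.12", "ip_dst": "172.20.90.2",
     "http": "POST /login HTTP/1.1\r\n\r\nusername=student1&_Pass=example-secret"},
    {"sa": "00:1a:aa:00:00:01", "da": "00:06:5b:00:00:aa", "ip_src": "172.20.90.10", "ip_dst": "172.20.90.2",
     "http": "GET /index.html HTTP/1.1\r\n\r\n"},
]

def infer_subnet_mask(frames) -> str:
    """Filter (5): the most common broadcast destination has all host bits set, so the
    mask is everything above its trailing run of 1-bits (172.20.90.255 -> 255.255.255.0)."""
    dsts = Counter(f["ip_dst"] for f in frames if f["da"] == BROADCAST_MAC)
    bcast = int(ipaddress.IPv4Address(dsts.most_common(1)[0][0]))
    host_bits = 0
    while host_bits < 32 and (bcast >> host_bits) & 1:
        host_bits += 1
    return str(ipaddress.IPv4Address((0xFFFFFFFF << host_bits) & 0xFFFFFFFF))

def find_gateway_mac(frames) -> str:
    """Section IV.C: the gateway MAC dominates because every internet-bound frame carries it."""
    macs = Counter()
    for f in frames:
        macs[f["sa"]] += 1
        macs[f["da"]] += 1
    macs.pop(BROADCAST_MAC, None)
    return macs.most_common(1)[0][0]

def find_gateway_ip(frames, gw_mac: str, subnet: ipaddress.IPv4Network) -> str:
    """Filter (6): frames addressed to the gateway MAC whose IP destination lies inside the
    local subnet are for the gateway itself, so that destination is its IP."""
    hits = Counter(f["ip_dst"] for f in frames
                   if f["da"] == gw_mac and ipaddress.IPv4Address(f["ip_dst"]) in subnet)
    return hits.most_common(1)[0][0]

def cleartext_logins(frames, gw_ip: str) -> list:
    """Filter (8) as a monitoring rule: HTTP bodies sent to the gateway that carry a _Pass field."""
    return [(f["ip_src"], f["http"].rsplit("\r\n\r\n", 1)[-1])
            for f in frames if f.get("http") and f["ip_dst"] == gw_ip and "_Pass" in f["http"]]

def audit(frames) -> dict:
    """Run the whole chain: mask, gateway MAC, gateway IP, cleartext logins."""
    mask = infer_subnet_mask(frames)
    gw_mac = find_gateway_mac(frames)
    local_ip = next(f["ip_src"] for f in frames if f["da"] == BROADCAST_MAC)
    subnet = ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
    gw_ip = find_gateway_ip(frames, gw_mac, subnet)
    return {"subnet": str(subnet), "gateway_mac": gw_mac, "gateway_ip": gw_ip,
            "cleartext_logins": cleartext_logins(frames, gw_ip)}
```

Everything `audit` recovers is available to anyone holding the WEP key, which is the paper's point: the fix is not to hide these values but to replace WEP and to stop the portal from accepting credentials over plain HTTP, and the `cleartext_logins` rule is the check that confirms the second fix has actually landed.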


Figure 7: Captured user name and password sent from a client to the MUWLAN AP.

VI. APPLYING A MAN-IN-THE-MIDDLE (MITM) ATTACK

The attacker is now a legitimate user. The following attacks can be used not only against wireless networks but can also be implemented against wired networks. All the above evaluation measurements used passive attacks only, but the attacker can use an active attack such as a MITM attack, which will be started using the famous ARP poisoning attack.

ARP allows the network to translate IP addresses into MAC addresses. When one host using TCP/IP on a LAN tries to contact another, it needs the MAC address or hardware address of the host it is trying to reach. It first looks in its ARP cache to see if it already has the MAC address; if it does not, it broadcasts an ARP request asking, "Who has the IP address I'm looking for?" If the host that has that IP address hears the ARP query, it responds with its own MAC address, and a conversation can begin using TCP/IP. ARP poisoning is a technique used to attack an Ethernet network that may let an attacker sniff data frames on a switched LAN or stop the traffic altogether.

ARP poisoning utilizes ARP spoofing, where the purpose is to send fake, or spoofed, ARP messages to an Ethernet LAN. These frames contain false MAC addresses that confuse network devices such as network switches. As a result, frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or to an unreachable host (a Denial of Service [DoS] attack). ARP spoofing can also be used in a man-in-the-middle attack in which all traffic is forwarded through a host by means of ARP spoofing and analyzed for passwords and other information [10].

Poisoning the ARP cache table can be done using the Ettercap software that is preinstalled in the backtrack3 operating system. Ettercap can ARP-poison the victim's PC only, or both the victim's PC and the gateway, so that all the traffic between the victim's PC and the gateway will pass through the attacker's PC.

A. SSLStrip attack

The main trick of this attack is that people access HTTPS web sites through HTTP, and HTTP is not secure. Most people access Yahoo!, gmail and hotmail by clicking on a hyperlink embedded in HTML web pages or by typing, for example, http://www.gmail.com, and fewer of them use https://www.gmail.com to access the email server. In this attack both the gateway and the victim's PC must be ARP cache poisoned, and that can be done using the Ettercap software.

After implementing ARP cache poisoning, all the traffic between the gateway and the victim's PC is now passing through the attacker's PC. The attacker can use the SSLStrip 0.4 tool [11], which is not installed under the backtrack operating system but can be found free on the internet.

The main job of this tool is to strip every HTTPS link contained in a web page requested by the victim into an HTTP link. When the victim tries to access a web site using HTTPS, by typing for example http://www.gmail.com or by clicking on a hyperlink, the attacker will catch that request and start a new HTTPS session between him (the attacker) and gmail, as shown in Figure 8.

Figure 8: The attacker uses the SSLStrip tool between the server and the victim's PC.

Now gmail will send its login web page using the HTTPS protocol to the attacker. The attacker will send the same web page to the victim using HTTP. The difference between the HTTPS gmail login web page and the HTTP gmail login web page is shown in Figures 9 and 10 respectively. The victim will enter his/her user name and password and press the login button, and that page will be sent to the attacker in plain text using HTTP. The attacker can now use the received user name and password to log in to the HTTPS gmail account. After that, gmail will send the inbox web page to the attacker, and in return the attacker will decrypt the inbox web page using the shared key received during the SSL handshake protocol and redirect that page using HTTP to the victim's PC. Now the victim can browse his/her email without knowing that his/her user name and password have been caught by an attacker.

The SSLStrip attack was implemented on the MUWLAN against Yahoo!, gmail, and hotmail email accounts, and Figure 11 shows the obtained result.

Figure 9: gmail login web page using HTTPS.

Alternatively, clients can install the ArpON software or any other operating-system-compatible ARP cache protection software.
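The ARP poisoning of Section VI, seen from the side of the gateway/client ARP watcher and static ARP entry that Section VII recommends, as an added example that is not from the paper and not the ArpON project's code: a small host-side watcher that pins the gateway's IP-to-MAC binding (the effect of the `arp -s` entry), then flags any ARP reply that contradicts a pinned binding, that nobody on this host asked for, or that moves a known IP to a new MAC. The `ArpMessage` records, the client MACs and the gateway MAC are constructed; the gateway IP 172.20.90.2 is the one the paper reports.

```python
"""Added example (not from the paper): a host-side ARP cache watcher of the kind Section VII
recommends. It pins the gateway binding (the equivalent of a static `arp -s` entry) and flags
ARP replies that contradict it or that were never requested. Messages below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ArpMessage:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

class ArpWatcher:
    def __init__(self, pinned: dict):
        self.pinned = dict(pinned)       # static bindings, never overwritten by replies
        self.cache = dict(pinned)        # learned bindings, seeded with the pinned ones
        self.outstanding = set()         # IPs this host asked about and has not heard back on
        self.alerts: List[str] = []

    def observe(self, msg: ArpMessage, from_self: bool = False) -> Optional[str]:
        """Feed one ARP message seen on the wire; return an alert string if it looks like poisoning."""
        if msg.op == "request":
            if from_self:
                self.outstanding.add(msg.target_ip)
            return None
        alert = None
        if msg.sender_ip in self.pinned and msg.sender_mac != self.pinned[msg.sender_ip]:
            alert = f"pinned {msg.sender_ip} is {self.pinned[msg.sender_ip]}, reply claims {msg.sender_mac}"
        elif msg.sender_ip not in self.outstanding:
            alert = f"unsolicited reply for {msg.sender_ip} from {msg.sender_mac}"
        elif msg.sender_ip in self.cache and self.cache[msg.sender_ip] != msg.sender_mac:
            alert = f"{msg.sender_ip} moved from {self.cache[msg.sender_ip]} to {msg.sender_mac}"
        if alert is None:
            self.cache[msg.sender_ip] = msg.sender_mac   # accept a solicited, consistent reply
        self.outstanding.discard(msg.sender_ip)
        if alert:
            self.alerts.append(alert)
        return alert

# Constructed traffic as seen by client 172.20.90.10; MAC addresses are made up.
GATEWAY_IP, GATEWAY_MAC = "172.20.90.2", "00:06:5b:00:00:aa"
SAMPLE = [
    (ArpMessage("request", "172.20.90.10", "00:1a:aa:00:00:01", "172.20.90.11"), True),
    (ArpMessage("reply", "172.20.90.11", "00:1a:aa:00:00:02", "172.20.90.10"), False),  # legitimate answer
    (ArpMessage("reply", GATEWAY_IP, "00:1a:aa:00:00:03", "172.20.90.10"), False),       # gateway impersonation
    (ArpMessage("reply", "172.20.90.12", "00:1a:aa:00:00:03", "172.20.90.10"), False),  # nobody asked
]

def run_watcher(sample=SAMPLE) -> List[str]:
    """Replay the sample through a watcher with the gateway pinned and return its alerts."""
    w = ArpWatcher({GATEWAY_IP: GATEWAY_MAC})
    for msg, from_self in sample:
        w.observe(msg, from_self)
    return w.alerts
```

The pinned entry is what makes the gateway case decidable: a forged reply that merely races the real host's answer would pass the "solicited" check, so the paper's advice to fix the gateway binding statically on the client, and to run a watcher on the gateway side as well, is what closes that gap.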

Figure 10: gmail login web page using HTTP.

Figure 11: The SSLStrip log file revealing captured user names and passwords for Yahoo!, gmail and hotmail accounts.

VII. IMPROVING MUWLAN SECURITY

The big question is how to improve the security of the Mosul University wireless network. Let us review the steps that led to cracking the wireless network and try to solve them one by one.

First: it is good that the MUWLAN hides the SSIDs of its APs, but it is a matter of time until a client sends some type of frame that leads to unhiding them. However, the attacker cannot tell whether those APs belong to Mosul University or not if the SSID has a name not related to Mosul University, such as Network1, or any other name that does not contain the phrase Mosul University or the university name in the SSID field, because such names are a hint to the attacker to attack these APs.

Second: changing the static WEP to the latest wireless encryption suite, such as enterprise WPA2, is important.

Third: secure the login access by using MD5-based login software, since the user name and password of 24online can be caught with or without using SSL login access.

Fourth: to stop the ARP poisoning attack, it is a good idea that both the gateway and the client are involved in the protection process, since the attacker can attack the client alone even when there is an ARP poisoning watcher installed at the gateway. At the server side, the ArpON software can be installed, and it can detect and prevent an ARP poisoning attack. At the client side, a static ARP cache table can be implemented easily, since the only important IP in the network is the gateway IP; clients can add a static entry to the ARP cache table using the following Windows command:

arp -s <IP address> <MAC address>

VIII. CONCLUSIONS

This paper revealed that any attacker can obtain all the information needed to access the MUWLAN and to use its services, such as the internet, and can change the passwords of the real clients. The confidentiality issue is also broken, since anyone who has the WEP key can monitor the wireless clients' traffic. The integrity issue is broken too, since the attacker can manipulate the data sent through the MUWLAN using the SSLStrip attack. The availability issue is also broken, since the attacker can change the password on the login web page, making the attacker the legitimate user and the client the rogue user, so the internet service will be unavailable to the client at the time when the real client wants to access the internet. Based on the obtained results, suggestions for improvement were made to tighten the security of the Mosul University wireless local area network.

REFERENCES

[1] Wang Shunman, Tao Ran, Wang Yue, Zhang Ji, "WLAN and its Security Problems", IEEE, Proceedings of the Fourth International Conference on Parallel and Distributed Computing, Applications and Technologies, pp. 241-244, 2003.
[2] Emmett Dulaney, "CompTIA Security+ Study Guide: Exam SY0-201", Sybex, 4th edition, 2008, ISBN-13: 978-0470372975.
[3] James M. Stewart, Ed Tittel, Mike Chapple, "CISSP: Certified Information Systems Security Professional Study Guide", Sybex, 4th edition, 2008, ISBN-13: 978-0470276884.
[4] Susan Snedaker, "Syngress IT Security Project Management Handbook", Syngress, 1st edition, 2006, ISBN-13: 978-1597490764.
[5] Mizhael Horton, Clinton Mugge, "HackNotes(tm) Network Security Portable Reference", McGraw-Hill Osborne, 1st edition, 2003, ISBN-13: 978-0072227833.
[6] Neeli Prasad, Anand Prasad, "WLAN Systems & Wireless IP for Next Generation Communications", Artech House, 2002, ISBN-13: 978-1580532907.
[7] Angela Orebaugh, Gilbert Ramirez, Jay Beale, Joshua Wright, "Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide", Syngress, 2007, ISBN-13: 978-1597490733.
[8] Adam Stubblefield, John Ioannidis, Aviel D. Rubin, "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP", AT&T Labs Technical Report TD-4ZCPZZ, 2001.
[9] Erik Tews, Ralf-Philipp Weinmann, Andrei Pyshkin, "Breaking 104 Bit WEP in Less Than 60 Seconds", Springer, Vol. 4867/2008, 2008.
[10] Kimberly Graves, "CEH Official Certified Ethical Hacker Review Guide", Wiley Publishing, Inc., 2007, ISBN-13: 978-0782144376.
[11] Moxie Marlinspike, "New Tricks For Defeating SSL In Practice", Black Hat conference, USA-DC, 2009.
